Driver

A computer program that operates or controls a particular type of device that is attached to a computer. Provides a software interface to hardware devices, enabling operating systems and other computer programs to access hardware functions without needing to know precise details about the hardware being used[1][2]

ID: DS0027
Platforms: Linux, Windows, macOS
Collection Layer: Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 30 March 2022

Data Components

Driver: Driver Load

Attaching a driver to either user or kernel-mode of a system (ex: Sysmon EID 6)

Driver: Driver Load

Attaching a driver to either user or kernel-mode of a system (ex: Sysmon EID 6)

Domain ID Name Detects
Enterprise T1547 Boot or Logon Autostart Execution

Monitor for unusual kernel driver installation activity that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.

.008 LSASS Driver

With LSA Protection enabled, monitor the event logs (Events 3033 and 3063) for failed attempts to load LSA plug-ins and drivers. [3] Utilize the Sysinternals Autoruns/Autorunsc utility [4] to examine loaded drivers associated with the LSA.

.012 Print Processors

Monitor for unusual kernel driver installation activity that may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

Enterprise T1543 Create or Modify System Process

Monitor for new service driver installations and loads (ex: Sysmon Event ID 6) that are not part of known software update/patch cycles.

.003 Windows Service

Monitor for new service driver installations and loads (ex: Sysmon Event ID 6) that are not part of known software update/patch cycles.

Enterprise T1561 Disk Wipe

Monitor for unusual kernel driver installation activity that may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources.

.001 Disk Content Wipe

Monitor for unusual kernel driver installation activity may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.

.002 Disk Structure Wipe

Monitor for unusual kernel driver installation activity may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.

Enterprise T1068 Exploitation for Privilege Escalation

Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution or evidence of Discovery. Consider monitoring for the presence or loading (ex: Sysmon Event ID 6) of known vulnerable drivers that adversaries may drop and exploit to execute code in kernel mode.[5] Higher privileges are often necessary to perform additional actions such as some methods of OS Credential Dumping. Look for additional activity that may indicate an adversary has gained higher privileges.

Enterprise T1562 Impair Defenses

Monitor for unusual/suspicious driver activity, especially regarding EDR and drivers associated with security tools as well as those that may be abused to disable security products.

.001 Disable or Modify Tools

Monitor for unusual/suspicious driver activity, especially regarding EDR and drivers associated with security tools as well as those that may be abused to disable security products.

Enterprise T1056 Input Capture

Monitor for unusual kernel driver installation activity

.001 Keylogging

Monitor for unusual kernel driver installation activity

Enterprise T1111 Multi-Factor Authentication Interception

Monitor for use of proxied smart card connections by an adversary may be difficult because it requires the token to be inserted into a system; thus it is more likely to be in use by a legitimate user and blend in with other network behavior. Similar to Input Capture, keylogging activity can take various forms but can may be detected via installation of a driver.

Driver: Driver Metadata

Contextual data about a driver and activity around it such as driver issues reporting or integrity (page hash, code) checking

Driver: Driver Metadata

Contextual data about a driver and activity around it such as driver issues reporting or integrity (page hash, code) checking

Domain ID Name Detects
Enterprise T1542 Pre-OS Boot

Disk check, forensic utilities, and data from device drivers (i.e. processes and API calls) may reveal anomalies that warrant deeper investigation

.002 Component Firmware

Monitor for unexpected disk partition table entries, or blocks of otherwise unusual memory that warrant deeper investigation

References